New research being presented today at the Black Hat security conference in Las Vegas claims that exploiting a vulnerability in Windows Update to downgrade Windows to an older version could reintroduce a host of already-patched vulnerabilities and give attackers complete control over the system. Microsoft says it is working through a complex, careful process to fix the issue, which the research calls "downdating" (Windows Downdate).
Alon Leviev, the SafeBreach Labs researcher who discovered the flaw, says he began looking for possible avenues for a downgrade attack after seeing a striking attack last year in which malware (the "BlackLotus" UEFI bootkit) loaded an older, vulnerable version of the Windows Boot Manager to get around Secure Boot. After scouring the Windows Update flow, Leviev found a way to downgrade Windows selectively, either the entire operating system or just specific components. From there, he developed a proof-of-concept attack that used this access to disable a Windows protection called Virtualization-Based Security (VBS), ultimately targeting the highly privileged code that runs in the computer's core, the kernel.
“I discovered a downgrade exploit that was completely undetectable because it was performed using Windows Update itself, which the system trusts,” Leviev told WIRED ahead of his conference talk. “In terms of invisibility, I didn’t uninstall the update. I basically updated the system even though it was downgrading behind the scenes. So the system is unaware of the downgrade and remains up to date.”
Leviev's downgrade ability results from a flaw in a component of the Windows Update process. To perform an update, the PC's update client places the update request in a client-controlled update folder. It then hands this folder to the update server, which verifies the folder's integrity. (The "server" here is not a remote Microsoft host but the local, highly privileged Windows Modules Installer service, also known as TrustedInstaller, that performs servicing on the machine.) The server then creates a second update folder that only it can write to, verifies and stages the update files there, and saves an action list (called "pending.xml") that contains the steps of the update plan, such as which files will be replaced and where the new code will be placed on disk. When the PC reboots, a post-reboot executor runs the actions from that list and updates the software.
The idea is that even if a user with control of the client-side update folder is malicious, they will not be able to hijack the update process, since the important parts take place in the server-controlled folder that only TrustedInstaller can modify. However, after digging through the files in both the client-side and the server-side update folders, Leviev discovered that while the action list in the server-side folder cannot be modified directly, the registry value that tells the post-reboot executor which action list to run ("PoqexecCmdline") is not protected in the same way. By pointing that value at an action list of his own, Leviev could dictate the steps of the update, and therefore the whole update process, while the system continued to believe it had applied a legitimate update.
With this control, Leviev worked out how to downgrade several key components of Windows, including the drivers that interface with hardware, the dynamic link libraries (DLLs) that contain shared system code and data, and, most importantly, the NT kernel, which contains the core instructions for running the computer. All of these could be rolled back to older, genuine Microsoft-signed versions that contain known and long-since-patched vulnerabilities. Leviev then went further and worked out how to downgrade Windows' own security components: the Secure Kernel, Credential Guard (the component that isolates stored credentials), the Hyper-V hypervisor that creates and supervises virtual machines on the system, and the VBS mechanism that is built on top of it.
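The two observations above (the executor is steered by an unprotected registry value, and a "downdated" machine still reports itself as fully patched) suggest a simple host check. The PowerShell script below is an added example written for this page; it is not code from the WIRED article or from SafeBreach's research. It assumes two things, both labelled in the comments: that PoqexecCmdline lives under one of the listed registry keys, and that the legitimate action list is the pending.xml inside the TrustedInstaller-owned WinSxS directory. It then compares the file versions of the kernel, Secure Kernel, hypervisor and code-integrity binaries against the build and update revision (UBR) the servicing stack reports, which is the mismatch a silent downgrade leaves behind.

```powershell
# Windows Downdate host check (added example; not the article's or SafeBreach's code).
# Run from an elevated PowerShell prompt. Read-only: it inspects, it does not repair.
$ErrorActionPreference = 'Stop'

# --- 1. Where is the post-reboot executor told to look for its action list? ---
# ASSUMPTION: candidate locations of the PoqexecCmdline value. The COMPONENTS hive
# is typically only mounted while servicing is in progress, so it may be absent.
$candidateKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\COMPONENTS'
)
# ASSUMPTION: the legitimate action list is %SystemRoot%\WinSxS\pending.xml.
$expectedListPattern = '(?i)\\WinSxS\\pending\.xml'

function Test-PoqexecCmdline {
    foreach ($key in $candidateKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        if (-not ($props.PSObject.Properties.Name -contains 'PoqexecCmdline')) { continue }

        # The value may be REG_SZ or REG_MULTI_SZ; join so both cases become one string.
        $cmd = @($props.PoqexecCmdline) -join ' '
        Write-Host "PoqexecCmdline under $key`: $cmd"

        if ($cmd -notmatch $expectedListPattern) {
            Write-Warning 'PoqexecCmdline does not reference WinSxS\pending.xml: possible redirected action list'
        }

        # Resolve the referenced pending.xml (accept \SystemRoot\... or a drive path) and
        # confirm it is owned by TrustedInstaller, as a server-written list should be.
        if ($cmd -match '(?i)((?:\\SystemRoot|[A-Za-z]:)\\[^\s"]*pending\.xml)') {
            $listPath = $Matches[1] -replace '(?i)^\\SystemRoot', $env:SystemRoot
            if (Test-Path $listPath) {
                $owner = (Get-Acl -Path $listPath).Owner
                Write-Host "Action list $listPath owner: $owner"
                if ($owner -ne 'NT SERVICE\TrustedInstaller') {
                    Write-Warning 'Action list is not owned by TrustedInstaller: treat as suspicious'
                }
            } else {
                Write-Host "Action list $listPath not present (no update pending)"
            }
        }
    }
}

# --- 2. Do the security-critical binaries match the revision Windows claims? ---
function Test-BinaryRevisions {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $reportedBuild = [int]$cv.CurrentBuildNumber
    $reportedUbr   = [int]$cv.UBR
    Write-Host ("Servicing stack reports OS revision {0}.{1}" -f $reportedBuild, $reportedUbr)

    # Binaries Downdate was shown to roll back. hvax64.exe (AMD) or hvix64.exe (Intel)
    # will be absent on the other vendor's hardware, so missing files are skipped.
    $binaries = @('ntoskrnl.exe', 'securekernel.exe', 'hvix64.exe', 'hvax64.exe',
                  'ci.dll', 'skci.dll', 'lsass.exe')
    foreach ($name in $binaries) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }
        $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        # For Windows system files FileBuildPart is the OS build and FilePrivatePart the UBR.
        $fileBuild = $vi.FileBuildPart
        $fileUbr   = $vi.FilePrivatePart
        $older = ($fileBuild -lt $reportedBuild) -or
                 (($fileBuild -eq $reportedBuild) -and ($fileUbr -lt $reportedUbr))
        $line = "{0,-18} {1}.{2}" -f $name, $fileBuild, $fileUbr
        if ($older) {
            # A small lag can be legitimate (not every cumulative update rebuilds every
            # file); a kernel or hypervisor many revisions behind, or on an older build
            # number than the OS reports, is exactly the footprint of a downgrade.
            Write-Warning "$line  OLDER than reported revision: triage"
        } else {
            Write-Host "$line  ok"
        }
    }
}

Test-PoqexecCmdline
Test-BinaryRevisions
```

Treat the output as a triage signal rather than a verdict: a file that was not touched by the latest cumulative update will legitimately carry an earlier UBR, so the interesting findings are a kernel, Secure Kernel or hypervisor that is many revisions behind, or sits on an older build number than the OS reports, combined with an executor command line that points anywhere other than the TrustedInstaller-owned action list.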
Although this technique does not give an attacker initial remote access to a victim's device, it could hand near-total control to an attacker who already has privileged access, because Windows Update is a highly trusted mechanism and this abuse of it can reintroduce many dangerous vulnerabilities that Microsoft has fixed over the years. Microsoft has said it has not seen any attempts to exploit the technique in the wild.
“We are actively developing mitigations for these risks following an extensive process that includes thorough research, development of updates across all affected versions, and compatibility testing to ensure maximum customer protection while minimizing business disruption,” a Microsoft spokesperson told WIRED in a statement.
The company's fix also involves revoking the vulnerable VBS system files so that older versions can no longer be loaded, but revocation has to be done carefully and incrementally: it can cause compatibility problems, and revoking the wrong files could reintroduce other, unrelated issues those files had previously resolved.
Leviev emphasized that downgrade attacks are a threat the developer community should take seriously: hackers are constantly looking for new ways into targeted systems, and attacks that ride on a trusted mechanism such as Windows Update are stealthy and difficult to detect.